when deploying artifacts from AzureDevops to Azure app service got the error

Question

When deploying artifacts from AzureDevops to Azure app service got the error like described below

##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'tumlinsonelectric-production'. Error: Could not fetch access token for Azure. Status code: invalid_client, status message: Error(s): 7000215 - Timestamp: 2025-07-02 08:35:16Z - Description: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'. Trace ID: b0968b5d-d50b-4836-be59-afe0342d3600 Correlation ID: 8fbafe67-d8ce-4e00-9f81-a287ae4ef460 Timestamp: 2025-07-02 08:35:16Z - Correlation ID: 8fbafe67-d8ce-4e00-9f81-a287ae4ef460 - Trace ID: b0968b5d-d50b-4836-be59-afe0342d3600 

Although I have created new app registration keys in azure portal instead of expired, seems I missed some steps, could you please help me to understand what steps are required to update client secret keys in azure portal and make it possible to deploy artifacts from Azure Devops to Azure Portal?
Thanks in advance.

Answer 1

Hi Aleksandr Zhadetsky

Could you please follow the steps:

1. Go to Azure Portal -> Microsoft Entra ID -> App registrations -> Select your app (e.g., the one used in the service connection) -> Navigate to Certificates & secrets -> Click + New client secret
   • Add a description and choose an expiration (e.g., 12 or 24 months)
   • Copy the secret value immediately.
2. Now In Azure DevOps -> go to your project -> Project Settings -> Service connections -> Select the service connection used for deployment (likely of type Azure Resource Manager) -> Choose Service principal (manual) authentication -> Paste the new client secret value into the appropriate field and also fill all the required details -> Save.

Ensure the app registration (service principal) has Contributor access to the target App Service.

Additional References:

https://learn.microsoft.com/en-us/azure/industry/training-services/microsoft-community-training/public-preview-version/frequently-asked-questions/generate-new-clientsecret-link-to-key-vault

https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops

Hope this helps!

Please Let me know if you have any queries.

Answer 2

Hi Aleksandr Zhadetsky

The Service principal (manual) authentication method is only available when creating a new service connection, not when editing an existing one. In your screenshot, you're viewing an existing Azure Resource Manager service connection, which doesn’t expose the client secret field for editing once it's created.

Also Ensure you must be a Project Administrator in Azure DevOps to edit service connections. Go to Azure DevOps -> Project Settings -> Permissions -> Click on your user or group and ensure you’re in the Project Administrators group.

Then recreate the Service Connection by navigating to Azure DevOps -> go to your project -> Project Settings -> Service connections -> Select the service connection used for deployment (likely of type Azure Resource Manager) -> Choose Service principal (manual) authentication -> Paste the new client secret value into the appropriate field and also fill all the required details -> Save.

Additional References:

https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops

Hope this helps!

Please Let me know if you have any queries.